Controlled Unclassified Information (CUI)

Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.  It is sensitive information that does not meet the criteria for classification but must still be protected.  

CUI, and data subject to ITAR and EAR, falls in the UMD data classification category of Restricted (Level 4) data; defined as data where access and use are strictly controlled and restricted by laws, regulations, or contracts. Unauthorized access, use, disclosure, or loss could have significant legal consequences, including civil and criminal penalties, loss of funding, inability to continue current research, and inability to obtain future funding or partnerships.

CUI falls in a “restricted research” category; as opposed to “fundamental research”, thus making it subject to federal regulations. Office of Research Administration (ORA) and the RSO work with sponsors to ensure appropriate agreements are in place to facilitate the use of CUI, and ensure appropriate compliance with UMD policies and procedures. The RSO will work with the PI and Division of IT on awards which involve CUI to prepare and administer Technology Controls Plans, which include physical and IT security controls.

The UMD Controlled Unclassified Information Environment (CUIE) is a NIST SP 800-171 and DFARS 252.204-7012 compliant IT environment used by UMD researchers for handling and analyzing Controlled Unclassified Information. Its physical equipment is hosted in one of the Division of Information Technology's (DIT) data centers. The system provides investigators a place to upload and store files, and access virtual machines for performing analysis. The CUIE is also approved for data subject to ITAR and Export Control rules. More information about the CUIE can be accessed through CUIE button below.

Please contact the Research Security Office and the Division of IT if you anticipate handling or working with any CUI due to the control requirements that must be met.